Title: Causal Knowledge Analysis for Detecting and Modeling
Authors: Ali Ahmadian Ramaki, Abbas Rasoolzadegan
Abstract
In order to understand the security level of an organization's network, detection methods are important for tackling the probable risks of attackers' malicious activities. Intrusion Detection Systems (IDSs), as detection solutions within the defense-in-depth concept, are one of the main devices for recording and analyzing suspicious behaviors. Besides the benefits of these systems for security enhancement, they bring some challenges and issues for security administrators. The large number of raw alerts generated by IDSs clearly reflects the need for a novel proactive alert correlation framework to reduce redundant alerts, correlate security incidents, discover and model multi-step attack scenarios, and track them. Several alert correlation frameworks have been proposed in the literature, but the majority of them address alert correlation in off-line settings. In this paper, we propose a three-phase alert correlation (3PAC) framework, which processes the generated alerts in real time, correlates the alerts with the aid of causal knowledge discovery to automatically extract causal relationships between alerts, constructs attack scenarios using the Bayesian network concept, and predicts the next goal of the attacks using the attack prediction rules it creates. Experimental results show that the proposed scalable framework is efficient enough in learning and detecting known and unknown multi-step attack scenarios without using any predefined knowledge. The results also show that the proposed framework perfectly estimates complex attacks before they can damage the assets of the network.
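The causal-knowledge and prediction steps sketched in the abstract, as an added illustration that is not the paper's 3PAC code: a constructed IDS alert stream is split into per-source sessions, the conditional probability that alert type B directly follows type A is estimated as a simplified (first-order Markov) stand-in for the paper's Bayesian-network scenario model, and the resulting rules predict the likely next step. The alert types, hosts, timestamps and the 60-second session window are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample alert stream: (timestamp_seconds, source_ip, alert_type).
# Made-up values for illustration only, not data from the paper.
ALERTS = [
    (0, "10.0.0.5", "port_scan"), (20, "10.0.0.5", "service_probe"),
    (45, "10.0.0.5", "exploit_attempt"),
    (100, "10.0.0.9", "port_scan"), (130, "10.0.0.9", "service_probe"),
    (170, "10.0.0.9", "exploit_attempt"), (200, "10.0.0.9", "priv_escalation"),
    (300, "10.0.0.7", "port_scan"), (340, "10.0.0.7", "service_probe"),
    (900, "10.0.0.2", "dns_query"),
]

def sessions(alerts, window):
    """Group alerts by source and start a new session whenever the gap
    between consecutive alerts from that source exceeds `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, kind in sorted(alerts):
        by_src[src].append((ts, kind))
    for seq in by_src.values():
        cur = [seq[0][1]]
        for (t_prev, _), (t, kind) in zip(seq, seq[1:]):
            if t - t_prev > window:
                yield cur
                cur = []
            cur.append(kind)
        yield cur

def causal_rules(alerts, window=60, min_conf=0.5):
    """Estimate P(B directly follows A) over sessions and keep pairs whose
    confidence reaches `min_conf`. Returns {A: {B: confidence}}."""
    count_a, count_ab = Counter(), Counter()
    for sess in sessions(alerts, window):
        for i, a in enumerate(sess):
            count_a[a] += 1
            if i + 1 < len(sess):
                count_ab[(a, sess[i + 1])] += 1
    rules = defaultdict(dict)
    for (a, b), n in count_ab.items():
        conf = n / count_a[a]
        if conf >= min_conf:
            rules[a][b] = conf
    return dict(rules)

def predict_next(rules, last_alert):
    """Most probable next alert type after `last_alert`, with its confidence, or None."""
    cands = rules.get(last_alert)
    if not cands:
        return None
    best = max(cands, key=cands.get)
    return best, cands[best]

def scenario_probability(rules, path):
    """Chain-rule estimate that a session follows `path` step by step."""
    p = 1.0
    for a, b in zip(path, path[1:]):
        p *= rules.get(a, {}).get(b, 0.0)
    return p
```

With the constructed stream, `predict_next(rules, "service_probe")` returns `exploit_attempt` with confidence 2/3, and a lone `dns_query` yields no rule, which is the behaviour a defender wants when a type has no observed successor.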
Keywords
Network Security, Intrusion Detection System, Alert Correlation, Attack Prediction, Causal Knowledge
@article{paperid:1059789,
author = {Ahmadian Ramaki, Ali and Rasoolzadegan, Abbas},
title = {Causal Knowledge Analysis for Detecting and Modeling},
journal = {Security and Communication Networks},
year = {2017},
volume = {9},
number = {18},
month = {January},
issn = {1939-0114},
pages = {6042--6065},
numpages = {23},
keywords = {Network Security; Intrusion Detection System; Alert Correlation; Attack Prediction; Causal Knowledge.},
}
%0 Journal Article
%T Causal Knowledge Analysis for Detecting and Modeling
%A Ahmadian Ramaki, Ali
%A Rasoolzadegan, Abbas
%J Security and Communication Networks
%@ 1939-0114
%D 2017